[ppml] Bogons etc...

william at elan.net william at elan.net
Wed Jan 21 16:29:04 EST 2004 

On Wed, 21 Jan 2004 Michael.Dillon at radianz.com wrote:

> >Further, I think the place to do this is with DNS, much like many
> >of the spam black lists. 
Its been done with dns, works fine (except cases when RIRs abroptly change 
location of their data files and notify about it several days later).
If you're interested try bogons.dnsiplists.completewhois.com
(it'll report 127.0.0.2 for all unallocated ips)

> think we need to agree on the principle first, then
> sort out what will be published and only then decide on
> the mechanism for publishing.
RIRs are already publishing such information using "statistics files" for 
that, see ftp://ftp.arin.net/pub/stats/
This data is ok for new space allocated by RIRs but have number of 
serious mistakes for legacy spaces. I track it down on daily basis in 
automated way as far as inaccuraces between RIR whois and RIR statistics 
files, see http://www.completewhois.com/bogons/ipwhois_data_analysis.htm

I'll cleanup my code and release utility to convert statistics files 
to bogon list in the next couple month as part of larger ip list 
conversion utility that I'll release as gnu open source code.

> Today we use the horribly broken whois protocol and
> the much better (but somewhat obscure) BGP protocol 
BGP protocol is locking necessary tools to be able to correctly use bogon 
feed (Cymru approach is a hack and causes pains to setup). There is a draft
ready, see http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-00.txt
and we're just waiting for vendors to implement it. Once done you'll see 
not only bogon feeds but other feeds as well, such as for spam filtering.

> the ubiquitous (but primitive) DNS protocol. The IETF has
> also done a lot of work on creating a scalable directory
> access protocol (LDAP) that is widely deployed in corporate
> networks but strangely ignored on the Internet.
Its not hard to publish such list in LDAP, the question is if it would 
be used? There are no tools that change router config based on LDAP data, 
and to my knowledge firewalls do not have such tools for LDAP feed either, 
nor mail server software, etc.

> In any case, like you, I'd like to see a mechanism that
> is scriptable by all concerned. Whois has show that it
> can't do that consistently. We've seen text parsing problems
> on both the server end and the client end.
There is RPSL definition for whois datathat is next layer up above whois 
protocol. RPSL is used for routing database (as published by ARIN for 
example) and is easily parseable and there are tools to convert this to be 
used for router configurations and firewall configurations. Publishing 
information by RPSL is a good idea that ARIN should consider doing instead 
of continuing to use its own non-standard WHOIS format (note: RIPE, APNIC, 
LACNIC are all using RPSL for whois data). 

As far as bogons, I've floated idea around to work on special filtering 
definition for that (current ones can be used if its plain IANA-only 
bogons as cymru is doing, but full list of unallocated blocks as RIRs 
are publishing in statistics files is too large and requires some new 
approach). There were not enough volunteers when I first mentioned in at 
NANOG to work on it, but if people are interested I have mailing list 
setup for just that purposes and I want to finish this approach as well. 
I would not be against if RIRs started doing some kind of route database 
publishing of bogon lists afterwards (considering that each RIR, except 
LACNIC, already is maintaining routing database for its users).

> DNS, BGP and LDAP all potentially solve the parsing problems
> and all are scriptable. My personal opinion is that LDAP would
> be a better solution because it supports schemas which makes it
> darn near impossible to create a parsing problem.
> 
> Anyone can set up a box with BIND or Zebra or OpenLDAP to receive
> a data feed and integrate it with their internal systems. 
Please do it. And release such software as open source and have at least 
two confirmed users (besides your own). After that come back here
or to me personally and I promise you LDAP bogon feed will be ready in 
less then a week.

> If we stick to DNS and LDAP then it is easy to turn any
> Python/Perl/TCL/Ruby script into a DNS or LDAP client so there
> is even less infrastructure required. 
Talking about writing software is easy, actually doing is not.

> But what do we publish? Who is responsible? What
> are the limits?
> 
> That's where we need some policy work to be done.
ARIN never liked idea of policies that effect what it considers to be its 
operations (most of my whois ideas never went through policy process).

-- 
William Leibzon
Elan Networks
william at elan.net

More information about the ARIN-PPML mailing list